CVE-2020-11803
published 2020-09-17


Priority: P2, 62, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public PoC available
EPSS: 7.55% (93.8th percentile)
An issue was discovered in Titan SpamTitan 7.07. Improper sanitization of the parameter jaction when interacting with the page mailqueue.php could lead to PHP code evaluation server-side, because the user-provided input is passed directly to the php eval() function. The user has to be authenticated on the web platform before interacting with the page.

Affected (2 ranges)

Vendor     Product     Version range   Fixed in
juniper    junos_os    -               -
titanhq    spamtitan   -               -

Detection & IOCs (extracted from sources)

path: /mailqueue.php
command: gotopage+a+";$b="<b64>";shell_exec(base64_decode(urldecode($b)));die();$b="
path: /tmp/r.py
path: /certs-x.php
path: /certs.php
port: 4242
filename: rev.py
  • Monitor HTTP POST requests to mailqueue.php where the 'jaction' parameter contains PHP code constructs such as shell_exec, base64_decode, or eval-injectable payloads (e.g., semicolons, dollar-sign variable assignments, or die() calls).
  • Alert on POST requests to mailqueue.php with a jaction parameter value matching the pattern: gotopage+a+";$b=...;shell_exec(base64_decode(urldecode(...)));die();
  • Detect outbound wget requests from the SpamTitan host to external URLs followed by execution of a downloaded Python script at /tmp/r.py, which is indicative of reverse shell staging.
  • Monitor for CSRF token extraction patterns in HTTP responses from certs.php (regex: 'var csrf_token_postdata =.*CSRFName=(.*)&CSRFToken=(.*)') followed immediately by a POST to mailqueue.php or certs-x.php — this sequence is characteristic of the exploit chain.
  • Flag inbound connections to port 4242 from the SpamTitan server IP, as the PoC exploit defaults to this port for the reverse shell listener.
  • Exploitation requires prior authentication to the SpamTitan web platform; unauthenticated access alone is insufficient to trigger the eval() injection via jaction.
  • The vulnerability likely affects versions prior to 7.07 as well, so detection and patching scope should not be limited to exactly version 7.07.
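The following is an added example, not part of the CVE record or of any vendor or PoC code: it applies the first two detection notes above to logged HTTP requests, URL-decoding the jaction parameter sent to mailqueue.php and flagging values that carry PHP constructs (shell_exec, base64_decode, eval, a quote-then-semicolon break-out, a `$var=` assignment, die()) or the decoded core of the staging pattern listed under IOCs. The tab-separated log format, the function names and the sample request lines are constructed for the demo; the flagged sample decodes a harmless base64 string.

```python
"""Detection helper for jaction injection attempts against mailqueue.php.

Added example for CVE-2020-11803 (not the record's or any project's code).
The log format (method<TAB>path<TAB>body) and all sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# PHP constructs that have no place in a page-navigation parameter but are
# needed to turn an eval()'d string into attacker-chosen code (from the
# record's detection notes).
SUSPICIOUS_TOKENS = ("shell_exec", "base64_decode", "eval(", "system(", "die()")

# A closing quote followed by ';', or ';' followed by a '$var =' assignment:
# the shape needed to break out of the string handed to eval().
STATEMENT_BREAK = re.compile(r'"\s*;|;\s*\$[A-Za-z_]\w*\s*=')

# Decoded core of the staging pattern from the record's IOC list.
POC_CORE = re.compile(
    r"shell_exec\(\s*base64_decode\(\s*urldecode\(\s*\$\w+\s*\)\s*\)\s*\)\s*;\s*die\(\)"
)


def inspect_request(method: str, path: str, body: str) -> list[str]:
    """Return the reasons a request looks like a jaction injection attempt.

    An empty list means nothing suspicious was found. Only requests to
    mailqueue.php are inspected, and only the jaction parameter (from the
    query string, and from the body for POST requests).
    """
    reasons: list[str] = []
    parts = urlsplit(path)
    if not parts.path.endswith("mailqueue.php"):
        return reasons

    # parse_qs URL-decodes values, so the checks below see the raw PHP text.
    params = parse_qs(parts.query)
    if method.upper() == "POST":
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)

    for value in params.get("jaction", []):
        lowered = value.lower()
        hits = [tok for tok in SUSPICIOUS_TOKENS if tok in lowered]
        if hits:
            reasons.append("php constructs in jaction: " + ", ".join(hits))
        if STATEMENT_BREAK.search(value):
            reasons.append("string break-out / variable assignment in jaction")
        if POC_CORE.search(value):
            reasons.append("matches known PoC staging pattern for CVE-2020-11803")
    return reasons


# Constructed sample log: method, path and body separated by tabs.
# Line 3 carries the record's staging pattern with a harmless base64 payload.
LOG_LINES = [
    "GET\t/mailqueue.php?jaction=gotopage&page=2\t",
    "POST\t/mailqueue.php\tjaction=gotopage&page=3",
    "POST\t/mailqueue.php\tjaction=gotopage%22%3B%24b%3D%22aGk%3D%22%3B"
    "shell_exec%28base64_decode%28urldecode%28%24b%29%29%29%3Bdie%28%29%3B%24b%3D%22",
    "POST\t/certs.php\tjaction=eval%28%24x%29",  # other page: not in scope here
]


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Run inspect_request over every log line; return (line_no, reasons) hits."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        method, path, body = (line.split("\t", 2) + ["", "", ""])[:3]
        reasons = inspect_request(method, path, body)
        if reasons:
            findings.append((line_no, reasons))
    return findings


if __name__ == "__main__":
    for line_no, reasons in scan_log(LOG_LINES):
        print(f"line {line_no}:")
        for reason in reasons:
            print("  -", reason)
```

The token list is deliberately short so that the legitimate `gotopage` value passes; widening it to every PHP function name would only add noise, whereas the quote-then-semicolon break-out check catches any attempt to leave the string context regardless of which function follows.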

CVSS provenance

NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD (v2.0): 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P